Methods for threshold password-hardened encryption and decryption

ABSTRACT

A Computer-implemented method is provided for encrypting data by a server in cooperation with a predetermined number of rate limiters. The method includes receiving, by the server, a user identification, and a password to be encrypted and creating a secret message, the secret message being a key suitable for use with a symmetric key encryption/decryption scheme. The method further includes generating, on the basis of a predetermined interactive cryptographic encryption protocol, a ciphertext which encrypts the user password, and the secret message using secret keys of the rate limiters of the subset, where the threshold is smaller than or equal to the number of rate limiters, and the protocol is adapted such that the server needs only to interact with a subset of the predetermined size of the number of rate limiters for decryption of the ciphertext to recover the secret message.

CROSS REFERENCE TO RELATED APPLICATION:

The present application takes priority from European Patent Application No. 20167386.0, filed on Mar. 31, 2020, the contents of which are incorporated herein by reference.

The present invention relates to encrypting and decrypting data, and more particularly to computer-implemented methods for encrypting and decrypting user data by a server in cooperation with a set of rate-limiters.

BACKGROUND OF THE INVENTION

An increasing amount of sensitive information is collected, processed, and made accessible by online services. In the classic authenticate-then-decrypt mechanism, an end-user is first authenticated by means of a password, followed by the retrieval of the user data, which is typically encrypted under a static server secret key, or sometimes even stored in plain. This classic approach is proven to be ineffective to prevent data breaches, especially against insider attackers that have full control of (the server hosting) the database. Not only can the attacker guess the passwords of individual users using offline brute-force attacks, it can also directly learn the master key and hence all user data. Lai et al. [LER⁺ 18] introduced password-hardened encryption (PHE) to strengthen the security of the authenticate-then-decrypt mechanism. Inherited from the notion of password-hardening [LESC17], PHE involves an external party in addition to the server, known as the rate-limiter, who only assists in the computation obliviously. PHE allows the server to derive a data key that depends on the password of the user, the server key, and the rate-limiter key, while the rate-limiter remains oblivious to the password and the data key.

Thus, the core idea is to introduce an external crypto service, the rate-limiter, that supports the encryption and decryption of data on the server without getting access to them. Since interaction with the rate-limiter is needed, offline brute-force attacks are no longer possible, and online attacks can be rate-limited.

Intuitively, the security of PHE states that, neither the server nor the rate-limiter alone should learn anything about the encoded password and the data key without cooperating with each other. To recover the data key, a corrupt party must communicate with the other party, who rate-limits decryption attempts. Finally, PHE supports key-rotation, which allows to rotate the keys of the server and rate-limiter with succinct communication. Thereafter, the server can locally update all ciphertexts without further interaction with the rate-limiter or end users. This property of key-rotation is demanded by the payment card industry data security standard (PCI DSS) [PCI16].

While PHE significantly improves security, it also introduces availability and trust issues due to the introduction of an external rate-limiter. If the rate-limiter is unreachable, e.g., due to network failure or malicious attacks, the data would become unavailable to the end users as the server cannot provide decryption service alone. Even worse, if the rate-limiter key is lost, then all user data is effectively lost permanently. These potential issues may discourage service providers from deploying PHE, as they may not want to ultimately depend on third parties for emergency access to their data. The naïve solution of duplicating the rate-limiter into multiple instances increases availability, but at a cost of security. If any one of the instances of the rate-limiter is corrupt, any benefit brought by PHE would be nullified.

SUMMARY OF INVENTION

Therefore, the object of the present invention is to provide methods for encrypting and for decrypting user data which at least alleviate the drawbacks mentioned above.

This object is solved by the method according to the independent claims. Advantageous embodiments are defined in the respective dependent claims.

Thus, the invention provides a computer-implemented method for encrypting data by a server in cooperation with a predetermined number of rate-limiters,

the predetermined number being greater than 1,

each of the rate-limiters being a respective processing unit different from each other and from the server, and having a respective secret key, sk₁, . . . , sk_(t), . . . , sk_(m),

the server having a predetermined secret key, sk₀,

the method comprising:

receiving, by the server, from the user, a user identification, un, a password, pw, to be encrypted,

creating, by the server, a secret message, M,

the secret message, M, being a key suitable for use with a predetermined symmetric key encryption scheme,

generating, by the server in cooperation with a subset, P, of a size t′, which is equal to or greater than a predetermined threshold, t, out of the predetermined number, m, of rate-limiters, on the basis of a predetermined interactive cryptographic encryption protocol, a ciphertext, C, which encrypts the user password, pw, and the secret message, M, using their respective secret keys of the rate-limiters of the subset, the threshold, t, being smaller than or equal to the predetermined number, m, of rate-limiters, and the predetermined interactive cryptographic protocol being adapted such that the server needs only to interact with a subset, P, of the predetermined size, t, of the predetermined number, m, of rate-limiters for decryption of the ciphertext to recover the secret message, storing, by the server, the ciphertext, C, in association with the user identification, un, and deleting the secret message, M, and the password, pw.

Advantageous embodiments of the invention include the the following features.

The method may further comprise:

generating, by the server, a server nonce, n₀, on the basis of a predetermined random process,

receiving, by the server, a predetermined number of rate-limiter nonces, n₁, . . . , n_(i), . . . , n_(m), each rate-limiter nonce, n_(i), created by a respective rate-limiter on a basis of a random operation,

making known the nonces to the predetermined number, m, of rate-limiters, using the nonces for generating the ciphertext, C.

Hereby, the ciphertext, C, may be a tuple, C₀, C₁, encrypted with a predetermined symmetric encryption key which is a part of the server secret key,

the tuple being computed as C ₀ =H ₀(pw,n)·H ₀(n) ^(s) ⁰ C ₁ =H ₁(pw,n)·H ₁(n) ^(s) ⁰ ·M wherein: H₀, H₁ representing independent Hash functions, s ₀ is part of a conceptual rate-limiter key which is secret-shared to the predetermined number of rate-limiters on the basis of a predetermined linear secret sharing scheme with a reconstruction threshold equal to the subset wherein for a given subset of rate-limiters, there exists a public linear combination such that s₀=Σ_(j=1) ^(t)λ_(j)s_(i) _(j) holds, with t denoting the number of rate-limiters of the subset; λ being a predetermined security parameter.

Hereby, for any subset of the number of rate-limiters H₀, H₁ may be expressed as H ₀(n) ^(s) ⁰ =H ₀(n)^(Σ) ^(i∈P) ^(λ) ^(P,i) ^(s) ^(i) H ₁(n) ^(s) ⁰ =H ₁(n)^(Σ) ^(i∈P) ^(λ) ^(P,i) ^(s) ^(i)

The method may further comprise:

receiving, by the server, from the user, along with receiving the user identification, un, and the oasswird, pw, useer data, ud, to be encrypted,

encrypting, by the server, the user data, ud, by applying the predetermined symmetric key encryption scheme using the secret message. M, as encryption key, and

storing, by the server, the encrypted user data, ud.

According to the invention further provided is a computer-implemented method for decrypting user data, ud, by a server, in cooperation with a predetermined number of rate-limiters, the user data, ud, being encrypted by the method as described above, the decrypting method comprising:

Receiving, by the server, from the user a user identification, un, and the password, pw,

retrieving, by the server, the ciphertext, C, and the encrypted user data stored in association with the uder identification, un,

recovering the secret message, M, by decrypting, by the server with its secret key, sk₀, in cooperation with a subset, P, of a size, t′, which is equal to or greater than the predetermined threshold, t, out of the predetermined number, m, of rate-limiters with their respective secret keys, sk_(i), the ciphertext, C, and deleting, by the server, the secret message, M, and the user password, pw.

The decryption method may further comprise:

Sending, by the server, the secret to the subset P′ of rate-limiters,

computing, by the server, the value Y_(0,0):=C₀·H₀(pw, n)⁻¹,

initiating the i-th rate-limiter of the subset of rate-limiters to compute the value Y_(i,0):=H₀(n)^(s) ^(i) ,

checking if Y_(0,0)=Π_(i∈P)Y_(i,0) ^(λ) ^(P,i) for some t-subset P of [m] by the server and the subset P of rate-limiters performing the steps of:

step a) computing the encryption of the value Z:=Y _(0,0) ⁻¹Π_(i∈P) Y _(i,0) ^(λ) ^(P,i) with the K being a public key, and K=K₀·K ₀, and a corresponding secret key being secret-shared among the server and the subset of rate-limiters, step b) computing an encryption of the values encryption of Z^({tilde over (r)}) and Z^({tilde over (r)}′)·H₁(n) ^(s) ⁰ for random {tilde over (r)} and {tilde over (r)}′, respectively, step c) checking whether Z^({tilde over (r)})=I, and if so, obtaining H₁(n) ^(s) ⁰ by decrypting the ciphertext C I being an identity element, and recovering the message M therefrom.

Hereby, each rate-limiter may associate a counter with the user identification, and may increment the counter if the verification step fails due to a received incorrect password, may abort the current decryption session, and may block further receiving user identification and password for a predetermined time of at least the user to which a the counter is associated.

As an alternative, each rate-limiter may implement a counter, and may increment the counter if the verification step fails due to a received incorrect password, un, may abort the current decryption session, and may blocking further receiving user identification and password for a predetermined time.

The encryption method may further comprise:

Running, by the server, prior to creating the secret message, M, a setup algorithm comprising:

defining the threshold, and the number m, of rate-limiters, generating the server secret key, sk₀, and

generating for each rate-limiter of the predetermined number, m, of rate-limiters the respective secret key, sk_(i), such that from each secret key, sk₀, . . . , sk_(m), the size, t, of the subset, P, of rate-limiters, and the predetermined number, m, of rate limiters can be derived.

Hereby, the setup algorithm may further comprise:

Running a group generation algorithm which maps the security parameter to the description of a cyclic group of prime order q with generator G, each of the the secret keys has the format

sk_(i) having the format (s_(i), k_(i), S₀, K₀, {S _(j), K _(j)}_(j=0) ^(t-1)) where s₀ is a secret key for a symmetric key encryption scheme SKE and satisfying the following properties:

${G^{s_{i}} = {\prod_{j = 0}^{t - 1}{\overset{¯}{S}}_{j}^{i^{j}}}},{i \in \lbrack m\rbrack}$ $G^{k_{i}} = \left\{ \begin{matrix} K_{0} & {i = 0} \\ {\prod_{j = 0}^{t - 1}{\overset{¯}{K}}_{j}^{i^{j}}} & {i \in {\lbrack m\rbrack.}} \end{matrix} \right.$

Hereby, verifying the validity of the secret keys may be performed by applying the following scheme:

if i=0 then return (G^(k) ⁰ =K₀)

else return (G^(s) ^(i) =Π_(j=0) ^(t-1) S _(j) ^(i) ^(j) ∧G^(k) ^(i) =Π_(j=0) ^(t-1) K _(j) ^(i) ^(j) )

The methods described above may further comprise:

Initiated by the server at least one rate-limiter out of the predetermined number of rate-limiters to perform, a rotation of the secret keys according to a predetermined key rotation protocol, and

performing, by the server, an algorithm for updating the ciphertext to an updated ciphertext with keys produced in the key rotation protocol.

Herein, the key rotation protocol may comprise:

Initiating a rate-limiter of the predetermined number of rate-limiters to request at least a part of the predetermined number of rate-limiters to perform a respective key rotation, and

receiving confirmation of the requested rate-limiters about key rotation.

The key rotation protocol may further comprise:

Requesting, by the server or initiating a rate-limiter of the predeter-mined number of rate-limiters, a part of the predetermined number of rate-limiters to perform a respective key rotation, to obtain updated secret keys,

deriving an update token for updating the ciphertext.

In particular, the key rotation may comprise:

Updating sk _(i)=(s _(i) ,k _(i) ,S ₀ ,K ₀ ,{S _(j) ,K _(j)}_(j=0) ^(t-1)) to sk′ _(i)=(s′ _(i) ,k′ _(i) ,S′ ₀ ,K′ ₀ ,{S′ _(j) ,K′ _(j)}_(j=0) ^(t-1)) where s′₀ is a new secret encryption secret key for SKE, and the following properties hold:

$\begin{matrix} \; & {K_{0}^{\prime} = {K_{0}^{\gamma} = G^{k_{0}^{\prime}}}} \\ {\forall{j \in \left\lbrack {0,{t - 1}} \right\rbrack}} & {{\overset{\_}{S}}_{j}^{\prime} = {{\overset{\_}{S}}_{j}G^{{\overset{\_}{\beta}}_{j}}}} \\ {\forall{j \in \left\lbrack {0,{t - 1}} \right\rbrack}} & {{\overset{\_}{K}}_{j}^{\prime} = {{\overset{\_}{K}}_{j}^{\gamma}G^{{\overset{\_}{\delta}}_{j}}}} \\ {\forall{i \in \lbrack m\rbrack}} & {G^{s_{i}^{\prime}} = {\prod_{j = 0}^{t}{{\overset{\_}{S}}^{\prime}}_{j}^{i^{j}}}} \\ {\forall{i \in \lbrack m\rbrack}} & {G^{k_{i}^{\prime}} = {\prod_{j = 0}^{t}{{\overset{\_}{K}}^{\prime}}_{j}^{i^{j}}}} \end{matrix}$ for β ₀, . . . , β _(t-1), γ, δ ₀, . . . , δ _(t-1) being random integers sampled by the server, and the update token being defined as (s₀, s′₀, β ₀), and a nonce n, updating the ciphertext C to the updated ciphertext C′ such that the updated ciphertext C′ is given by encrypting the tuple (C′₀, C′₁) with the new symmetric encryption key s′₀ where C′₀:=C₀·H₀(n) ^(β) ⁰ and C′₁:=C₁·H₁(n) ^(β) ⁰ , and n being a nonce produced by the server.

Herein, the subset of the prede-termined number of rate-limiters may be selected according to a predetermined access criterion.

The decryption method may further comprise:

decrypting, by the server, the encrypted user data, ud, by applying the predetermined user data symmetric key encryption/decryption scheme using the secret message M as decryption key.

Still further, the invention comprises software, which when loaded in a computer, controls the computer to implement the inventive methods as described above and as described in the detailed description.

Still further, the invention comprises a computer-readable storage medium which contains instructions, which when loaded in a computer, control the computer so as to implement the inventive methods as described above and as described in the detailed description.

Thus, the invention addresses the availability and trust issues of PHE by introducing threshold password-hardened encryption ((t, m)-PHE). The basic idea is to spread the responsibility of a single rate-limiter to m rate-limiters, such that a threshold number t of them are necessary and sufficient for successful en/decryption. As long as the adversary does not control both the server and at least t rate-limiters, the (t, m)-PHE schemes according to the invention provide the same security guarantees like those of PHE schemes. Practically speaking, this allows services to make use of rate-limiters hosted by different providers, or even have some of them “in cold storage” locally where they can be reactivated in emergency situations to avoid data loss. Additionally, this allows strengthening security by requiring more than one honest rate-limiter for successful decryption.

DETAILED DESCRIPTION

The invention and embodiments thereof will be described in connection with the drawings, wherein

FIG. 1 illustrates graphically the encryption procedure according to the invention,

FIG. 2 illustrates graphically the decryption procedure according to the invention,

FIG. 3 illustrates a block diagram of the setup algorithm,

FIG. 4 illustrates the setup protocol of the construction,

FIG. 5 illustrates a block diagram of the encryption protocol according to the invention,

FIG. 6 illustrates the encryption protocol of the construction,

FIG. 7 illustrates a block diagram of the decryption protocol according to the invention,

FIG. 8 illustrates the decryption protocol of the construction,

FIG. 9 illustrates a block diagram of the key rotation protocol according to the invention,

FIG. 10 illustrates a block diagram of the ciphertext update protocol according to the invention,

FIG. 11 illustrates the key-rotation protocol, the update algorithm, and key verification algorithm of the construction,

FIG. 12 illustrates the inverse of the throughput (i.e., amortized time per encryption or decryption request) of an implementation of the construction against the threshold of t,

FIG. 13 illustrates the throughput (i.e., the encryption and decryption requests per second) of an implementation of against the threshold of t,

FIG. 14 illustrates a non-interactive zero-knowledge proof of knowledge,

FIG. 15 illustrates the security experiment for the hiding property, and

FIG. 16 illustrates the security experiment for the soundness property.

OVERVIEW

An efficient (t, m)-PHE scheme based on standard cryptographic assumptions in the random oracle model is presented. Conceptually, the construction according to the invention is obtained by emulating the PHE scheme of Lai et al. [LER⁺18] using secure multi-party computation (MPC) protocols. Although using generic MPC protocols suffices for security, expressing the group operations used in [LER⁺18] as Boolean or arithmetic circuits would incur significant overhead. Moreover, since the scheme of Lai et al. [LER⁺18] is only proven secure in the random oracle model, emulating their scheme over an MPC would require instantiating the random oracles. Consequently, it is unlikely to obtain a security proof based on standard assumptions even in the random oracle model.

The above difficulty is overcome here by designing special-purpose MPC protocols, which exploit the linearity of the Shamir secret sharing scheme [Sha79] and the ElGamal encryption scheme [ElG84]. Since latency is the main bottleneck of PHE [LER⁺18], the main objective of the design is to minimize the round complexity, while restricting ourselves to only use relatively lightweight cryptographic tools. Assuming a communication model where the rate-limiters are not allowed to communicate with each other, the resulting encryption protocol consists of 3 rounds, while the decryption protocol consists of 6 rounds (7 rounds for “fine-grained” rate-limiting, see below under “Construction of the encryption/decryption scheme of the invention”. It is believed that this is a good trade-off between round complexity and computational complexity. A side benefit of the inventive construction is that the rate-limiters cannot tell whether the same incorrect password was used in two failed decryption attempts of the same user.

It will be shown that the inventive construction is secure under the DDH assumption in the random oracle model, assuming static corruption, where the adversary must declare the set of corrupt parties for the next time epoch when instructing a key-rotation. Note that security under static corruption is already stronger than the security defined in [LER⁺18], where the corrupt party is fixed for the entire duration of the experiments. Nevertheless, we believe that security under adaptive corruption can be achieved under standard (yet not necessarily efficient) techniques. Since our primary focus is practical efficiency, we will not discuss adaptive corruption further.

Implementation and Evaluation.

Further, a prototype implementation in Python is provided and evaluated with respect to the latency and throughput of (t, m)-PHE for multiple threshold levels t. The experimental evaluation (see below) shows that, despite the increased computation and communication complexities when compared to PHE [LER⁺18], our (t, m)-PHE scheme is still within the practical realm for a reasonably small threshold t (e.g., 3).

Related Work

The original concept of password-hardening (PH) is due to Facebook [Muf15]. Everspaugh et al. [ECS⁺15] made the first step towards formalizing PH and identified key-rotation as the key property to make such schemes useful in practice, which is also the key challenge when designing PH and PHE schemes. The notion of PH has been subsequently refined by Schneider et al. [SFSB16] and Lai et al. [LESC17]. In addition to password verification, Lai et al. [LER⁺18] later introduced the concept of password-hardened encryption (PHE) that allows associated data to be encrypted under a per-user key that is inaccessible without the user's password and provides strong security guarantees analogous to those of PH.

The construction of (t, m)-PHE in this work is based on the PHE scheme in [LER⁺18], which in turn is based on the PH scheme in [LESC17]. As observed in [LER⁺18], it is unclear how the PH scheme in [ECS⁺15] (formalized as a partially oblivious pseudorandom function) can be extended to a PHE scheme. Therefore, although the scheme in [ECS⁺15] has a natural threshold variant, it is not helpful for constructing (t, m)-PHE schemes.

A closely related notion is password-protected secret sharing (PPSS) [BJSL11], which provides similar functionality as that of (t, m)-PHE, with different formulations in syntax and security definitions. The key feature separating (t, m)-PHE from PPSS is key-rotation. Indeed, a (t, m)-PHE can be seen as a PPSS scheme with key-rotation.

Password-based threshold authentication (PbTA) [AMMM18] is a recent related notion where, instead of recovering a data key, the goal is to produce an authentication token which can be verified by the service provider. Moreover, the PbTA scheme in [AMMM18] does not support key-rotation.

Definitions

Let 1^(λ) be the security parameter and m∈

. The set {1, . . . , m} is denoted by [m], and the set {a, a+1, . . . , b} is denoted by [a, b]. We denote by ((y ₁;view₁), . . . ,(y _(m);view_(m)))←Π<

₁(x ₁ ;r ₁), . . . ,

_(m)(x _(m) ;r _(m))> the protocol Π between the interactive algorithms

₁, . . . ,

_(m), where

_(i) has input x_(i), randomness r_(i), output y_(i), and view view_(i). The view view_(i) consists of the input x_(i), the input randomness r_(i), and all messages received by

_(i) during the protocol execution. Let I⊆[m]. We use the shorthand view, to denote the set {(i,view_(i))}_(i∈I). In case that the output

_(i) is not explicitly needed, we write * instead of y_(i). For ease of readability, we omit the randomness r_(i) and/or the view view_(i) of

_(i) if they are not explicitly needed. When the randomness r_(i) is omitted, it means that r_(i) is chosen uniformly from the appropriate domain. We use the special and distinct symbols ϵ and ⊥ to denote the empty string and an error (e.g., protocol abortion), respectively. Unless specified, the symbols ϵ and ⊥ are by default not a member of any set. Let b be a Boolean value. We use the shorthand “ensure b” to denote the procedure which outputs ⊥ (prematurely) if b≠1. Let t, m∈

with t≤m. Let

and

be the password space and the message space, respectively. Let

and

_(i) refer to the server and the i-th rate-limiter respectively for i∈[m].

A t-out-of-m threshold password-hardened encryption ((t, m)-PHE) scheme for

and

consists of the efficient algorithms and protocols (Setup, Enc, Dec, Rot, Udt), which we define as follows: (crs,sk ₀ , . . . ,sk _(m))←Setup(1^(λ),1^(m),1^(t)):

The setup algorithm inputs the security parameter 1^(λ), the number of rate-limiters 1^(m), and the threshold 1^(t). It outputs the common reference string crs, the secret key sk₀ for the server and the secret key sk_(i) for the i-th rate-limiter, for all i∈[m]. The common reference string is an implicit input to all other algorithms and protocols for all parties.

$\begin{matrix} \; & \; & {{\mathcal{S}\left( {{``{ENC}"},{sk}_{0},{pw},M} \right)},} \\ \left( {\left( {n,\mathcal{C}} \right),\epsilon,\ldots\mspace{14mu},\epsilon} \right) & \left. \leftarrow{Enc} \right. & {\left\langle \begin{matrix} {{\mathcal{R}_{1}\left( {{``{ENC}"},{sk}_{1}} \right)},} \\ {\ldots\mspace{14mu},} \end{matrix} \right\rangle\text{:}} \\ \; & \; & {\mathcal{R}_{m}\left( {{``{ENC}"},{sk}_{m}} \right)} \end{matrix}$

The encryption protocol is run between the server and (possibly a subset of) the m rate-limiters. The server inputs its secret key, a password pw∈

, and a message M∈

. The rate-limiters input their respective secret keys. The server outputs a nonce n and a ciphertext C, while each rate-limiter outputs an empty string ϵ.

$\begin{matrix} \; & \; & {{\mathcal{S}\left( {{``{DEC}"},{sk}_{0},{pw},n_{0},\mathcal{C}} \right)},} \\ \left( {M,n_{1},\ldots\mspace{14mu},n_{m}} \right) & \left. \leftarrow{Dec} \right. & {\left\langle \begin{matrix} {{\mathcal{R}_{1}\left( {{``{DEC}"},{sk}_{1}} \right)},} \\ {\ldots\mspace{14mu},} \end{matrix} \right\rangle\text{:}} \\ \; & \; & {\mathcal{R}_{m}\left( {{``{DEC}"},{sk}_{m}} \right)} \end{matrix}$

The decryption protocol is run between the server and (possibly a subset of) the m rate-limiters. The server inputs its secret key, a candidate password pw∈

, a nonce n₀, and a ciphertext C. The rate-limiters input their respective secret keys. The server outputs a message M. Each rate-limiter outputs a nonce n_(i) which can be interpreted as the identifier of the ciphertext C in the view of

_(i).

$\begin{matrix} \; & \; & {{\mathcal{S}\left( {{``{ROT}"},{sk}_{0}} \right)},} \\ \left( {\left( {{sk}_{0}^{\prime},} \right),{sk}_{1}^{\prime},\ldots\mspace{14mu},{sk}_{m}^{\prime}} \right) & \left. \leftarrow{Rot} \right. & {\left\langle \begin{matrix} {{\mathcal{R}_{1}\left( {{``{ROT}"},{sk}_{1}} \right)},} \\ {\ldots\mspace{14mu},} \end{matrix} \right\rangle\text{:}} \\ \; & \; & {\mathcal{R}_{m}\left( {{``{ROT}"},{sk}_{m}} \right)} \end{matrix}$

The rotation protocol is run between the server and all m rate-limiters. Each party inputs its secret key and outputs a rotated key. The server additionally outputs an update token

. C′←Udt(τ,n,C):

The update algorithm inputs an update token τ, a nonce n, and a ciphertext C. It outputs a new ciphertext C′.

Remarks.

Although in general it is undesirable to rely on trusted parties in cryptographic primitives, in a typical application of (t, m)-PHE it is acceptable to let the server run the setup algorithm, send the rate-limiter keys to the respective rate-limiters, and securely delete those keys. This is because it is for the server's own benefit to employ a (t, m)-PHE scheme in the first place. Moreover, the rate-limiters do not contribute any private inputs other than their secret keys in any protocols. If we insist that the server cannot be trusted to run the setup, a standard solution is to emulate the setup using a secure multi-party computation (MPC) protocol.

In an embodiment of the invention, the nonces are handled differently compared to the approach in previous work [LER⁺18]. The new approach models the reality more closely and is more intuitive. Previously, the encryption and decryption protocols take a “label” as common input for both the server and the rate-limiter, where the label consists of a server-side nonce and a rate-limiter-side nonce. This model deviates from the reality where the nonce is generated during (instead of before) the encryption protocol, stored by the server, and sent to the rate-limiter during decryption. More confusingly, the label input to the encryption protocol is by default an empty string, unless it is called in the forward security experiment.

Correctness.

Correctness is defined in the obvious way and the formal definition is omitted. Roughly speaking, a (t, m)-PHE is correct whenever all honestly generated ciphertexts can be successfully decrypted to recover the encrypted message with the correct password, at long as at least t rate-limiters participate in the decryption protocol. Moreover, if a ciphertext passes decryption with respect to some secret keys, then the updated ciphertext also passes decryption with respect to the rotated keys.

Security of (t, m)-PHE.

We define the hiding and soundness properties of (t, m)-PHE. As explained in the introduction, the former consolidates the hiding, obliviousness, and forward security properties of PHE, while the latter consolidates the soundness and strong soundness of PHE.

Communication Model.

To justify the assumption that not too many rate-limiters collude, most preferably the communication between each

_(i) and

is done via a secure authenticated channel. For i≠j, there may not exist any communication channel between

_(i) and

_(j).

Construction of the Encryption/Decryption Scheme

The construction of the (t, m)-PHE scheme according to the invention is based on the PHE scheme of [LER⁺18]. The basic idea is to emulate the rate-limiter in [LER⁺18] using multiple rate-limiters. Specifically, a conceptual rate-limiter secret key is secret-shared to multiple rate-limiters, and the latter are to run several multi-party computation (MPC) protocols to emulate the conceptual rate-limiter. Although generic MPC protocols suffice for security, special-purpose protocols are designed for concrete efficiency.

FIG. 1 illustrates the encryption procedure according to the invention.

The server, holding a key-pair with a public and private key pair, has access to m rate-limiters where each rate-limiter is an independent instance having its own public and private key pair. First, the user sends his user name (i.e., the user identification), un, and his password, pw, to the server. The server, upon receiving the user identification, un, and the password, pw, creates a secret message, M, and engages in an interactive cryptographic protocol with t′ rate limiters out of the number m of rate-limiters, to generate, on the basis of an interactive cryptographic encryption protocol, a ciphertext, C, which encrypts the password, pw, and the message M, using the respective secret keys sk_(i) of the t′ rate-limiters. The message M is an encryption key suitable for use with a symmetric key encryption scheme.

The interactive cryptographic encryption protocol used herein is adapted such that the the server needs only to interact with a subset of the number m of rate-limiters for decrypting the the ciphertext, C, to recover the secret message M. This subset, P, has the size t.

The message M can then be used to encrypt (private) user data by the server, by using a symmetrical encryption/decryption scheme. After having encrypted the user data, the message M can be deleted.

FIG. 2 illustrates the procedure of decryption of the ciphertext C in order to recover the key M. Upon receiving the user name, un, and password, pw, from the user, the server tetrieves the ciphertext C and engages in an interactive cryptographic protocol with t out of the m rate-limiters to decrypt the ciphertext C. Thereby, the server obtains the key M, and can use it to decrypt the (private) user information. Thereafter, M can be deleted again.

Construction Overview

Let

be a cyclic group of prime order p with generator G, and let H₀, H₁: {0,1}*→

be two independent hash functions modelled as random oracles. The structure of the ciphertexts in the scheme according to the invention is derived from [LER⁺18]: A ciphertext C=SKE.Enc(s₀, (C₀, C₁)) consists of a symmetric-key ciphertext of two group elements C₀ and C₁ under the server secret key component s₀, and is accompanied by a nonce n. The elements C₀ and C₁ have the format C ₀ =H ₀(pw,n)·H ₀(n) ^(s) ⁰ C ₁ =H ₁(pw,n)·H ₁(n) ^(s) ⁰ ·M where s ₀ is part of the conceptual rate-limiter secret key, and M is the encrypted message. The conceptual key s ₀ is secret-shared to m rate-limiters using the well-known Shamir secret sharing scheme with reconstruction threshold t. It should be noted that in general, any linear secret sharing scheme to support more expressive access policies can be used. A subtle simplification in our scheme compared to that of [LER⁺18] is that there is no distinction between the server nonce and the rate-limiter nonce. In our scheme, the nonce n is obtained via a coin-flipping protocol between the server and t rate-limiters. The server key is now used in a secret-key encryption scheme to allow for stronger security properties.

An important feature of the Shamir secret sharing scheme is that the reconstruction function is linear. That is, given a set of t shares and their indices {(i_(j), s_(i) _(j) )}_(j=1) ^(t), there exists a public linear combination with some coefficients (λ₁, . . . , λ_(t)) such that s ₀=Σ_(j=1) ^(t)λ_(j)s_(i) _(j) . This feature is crucial for the decryption protocol, as we will see.

Formal Description

Ingredients.

Given a finite set

of size |

|≥t, let Subset_(t)(

) be an algorithm which returns an arbitrary size-t subset P of

. Let GGen:1^(λ)

(

, p, G) be a group generation algorithm which maps the security parameter 1^(λ) to the description (

, p, G) of a cyclic group

of prime order p with generator G. Let t, m ∈

with t≤m≤p. For any subset P⊆[m] and i∈P, recall the Lagrange polynomial

${l_{P,i}(x)}:={\prod_{j \in {P \smallsetminus {\{ i\}}}}{\frac{x - j}{i - j}.}}$ Let λ_(P,i):=

_(P,i)(0). For the ease of notation, we define λ_(P,0):=1 for all P. Let H₀, H₁: {0, 1}*→

and H:{0,1}*→{0, 1}^(λ) be independent hash functions to be modeled as random oracles. Let SKE.(KGen, Enc, Dec) be a symmetric-key encryption scheme. Let (GGen, Prove, Vf) be a non-interactive zero-knowledge proof of knowledge (NIZKPoK) scheme for the relation

${R_{GDL}:} = \begin{Bmatrix} {\left( {,G,p} \right),} \\ {\begin{pmatrix} A_{1,1} & \ldots & A_{1,n} & B_{1} \\ \vdots & \ddots & \vdots & \vdots \\ A_{m,1} & \ldots & A_{m,n} & B_{m} \end{pmatrix} \in} \\ {\left( {x_{1},\ldots\mspace{14mu},x_{n}} \right) \in {{\mathbb{Z}}_{p}:}} \\ {{\forall{i \in \lbrack m\rbrack}},{B_{i} = {\prod_{j = 1}^{n}A_{i,j}^{x,}}}} \end{Bmatrix}$ as described in the Appendix below. Setup (Refer to FIG. 3 and FIG. 4).

The setup algorithm first runs GGen to generate the description of the group. It then generates the secret keys sk₀, . . . , sk_(m), where sk_(i) has the format (s_(i), k_(i), S₀, K₀, {S _(j), K _(j)}_(j=0) ^(t-1)) where s₀ is a secret key for a symmetric key encryption scheme SKE and

${G^{s_{i}} = {\prod_{j = 0}^{t - 1}{\overset{¯}{S}}_{j}^{i^{j}}}},{i \in \lbrack m\rbrack}$ $G^{k_{i}} = \left\{ \begin{matrix} K_{0} & {i = 0} \\ {\prod_{j = 0}^{t - 1}{\overset{¯}{K}}_{j}^{i^{j}}} & {i \in {\lbrack m\rbrack.}} \end{matrix} \right.$

Each party can verify the validity of their keys using the subroutine KVf defined in FIG. 11.

Encryption (Refer to FIG. 5 and to FIG. 6).

Preferably, the encryption protocol begins with a coin-flipping procedure. Each party samples some randomness n_(i) and exchanges their randomness with each other. They then hash all randomness using the hash function H to create a nonce n. With the help of the rate-limiters, the server computes the tuple (C₀, C₁):=(H₀(pw, n)·H₀(n) ^(s) ⁰ , H₁(pw, n)·H₁(n) ^(s) ⁰ ·M). It then computes C←SKE.Enc(s₀, (C₀, C₁)).

Let P be any t-subset of [m]. The ciphertext components H₀(n) ^(s) ⁰ and H₁(n) ^(s) ⁰ can be expressed as H₀(n) ^(s) ⁰ =H₀(n)^(Σ) ^(i∈P) ^(λ) ^(P,i) ^(s) ⁰ and H₁(n) ^(s) ⁰ =H₁(n)^(Σ) ^(i∈P) ^(λ) ^(P,i) ^(s) ^(i) respectively.

Decryption (Refer to FIG. 7 and to FIG. 8).

The decryption protocol begins with the server informing the rate-limiters of the nonce n, and decrypting the ciphertext C to obtain (C₀, C₁). The server then computes the value Y_(0,0):=C₀·H₀(pw, n)⁻¹, while the i-th rate-limiter computes Y_(i,0):H₀(n)^(s) ^(i) . Conceptually, the parties would like to check if Y_(0,0)=Π_(i∈P)Y_(i,0) ^(λ) ^(P,i) for some t-subset P of [m]. If the relation is satisfied, meaning that the password is likely correct, the rate-limiters would jointly help the server to compute H₁(n) ^(s) ⁰ , which allows the latter to recover the message M. However, naively performing the joint computation of H₁(n) ^(s) ⁰ would cost one extra round of computation. In the following, a three-phase protocol is outlined where the round for computing the value H₁(n) ^(s) ⁰ is merged with one of the rounds in the checking procedure.

Step a) First, the parties jointly compute an encryption of the value Z:=Y_(0,0) ⁻¹Π_(i∈P)Y_(i,0) ^(λ) ^(P,i) under the public key K=K₀·K ₀, where the corresponding secret key is secret-shared among the participants. This can be done by having the parties encrypt their respective inputs using the linearly-homomorphic ElGamal encryption scheme, exchange the ciphertexts with each other (via the server), and homomorphically compute an encryption of Z locally. This costs 2 rounds of communication.

Recall that the goal of the protocol is to allow the server to obtain H₁(n) ^(s) ⁰ in the case Z=I (the identity element). We observe that for a randomly sampled {tilde over (r)} and for an arbitrary group element A, Z^({tilde over (r)})·A=A when Z=I, and uniformly random otherwise. With this observation, in the second phase, step b), the parties jointly compute the encryption of Z^({tilde over (r)}) and Z^({tilde over (r)}′)·H₁(n) ^(s) ₀ respectively for random {tilde over (r)} and {tilde over (r)}′. Similar to the first phase, this costs another 2 rounds of communication.

In the last phase, step c), the parties jointly help the server to decrypt the ciphertexts, so that the latter can check whether Z^({tilde over (r)})=I (and hence Z=I), and if so obtain H₁(n) ^(s) ⁰ . This costs 1 round of communication. Together with the first round where the server sends the nonce n, we obtain a 6-round protocol.

At this point, the decryption functionality is already achieved and the protocol can already be terminated. However, the rate-limiters have no knowledge about whether the decryption was successful or not, i.e., whether Z=I, and thus can only perform “coarse-grained” rate-limiting. That is, the rate-limiters would count both successful and failed decryption attempts, since they cannot distinguish between the two. This is often sufficient in applications, since typically a user would not login (successfully) too frequently. To support “fine-grained” rate-limiting, the server would send an extra message to the rate-limiters to allow them to decrypt the encryption of Z^({tilde over (r)}). These additional steps are highlighted in dashed boxes in FIG. 8. This costs an extra round of communication and results in a 7-round protocol.

Key Rotation and Ciphertext Update (Refer to FIG. 9, FIG. 11, as Well as to FIG. 10).

The goal of key-rotation is to update the secret keys from sk_(i) to sk′_(i),

where sk _(i)=(s _(i) ,k _(i) ,S ₀ ,K ₀ ,{S _(j) ,K _(j)}_(j=0) ^(t-1)) sk′ _(i)=(s′ _(i) ,k′ _(i) ,S′ ₀ ,K′ ₀ ,{S′ _(j) ,K′ _(j)}_(j=0) ^(t-1)) where s′₀ is a fresh secret key for SKE, and the following properties hold:

$\begin{matrix} \; & {K_{0}^{\prime} = {K_{0}^{\gamma} = G^{k_{0}^{\prime}}}} \\ {\forall{j \in \left\lbrack {0,{t - 1}} \right\rbrack}} & {{\overset{\_}{S}}_{j}^{\prime} = {{\overset{\_}{S}}_{j}G^{{\overset{\_}{\beta}}_{j}}}} \\ {\forall{j \in \left\lbrack {0,{t - 1}} \right\rbrack}} & {{\overset{\_}{K}}_{j}^{\prime} = {{\overset{\_}{K}}_{j}^{\gamma}G^{{\overset{\_}{\delta}}_{j}}}} \\ {\forall{i \in \lbrack m\rbrack}} & {G^{s_{i}^{\prime}} = {\prod_{j = 0}^{t}{{\overset{\_}{S}}^{\prime}}_{j}^{i^{j}}}} \\ {\forall{i \in \lbrack m\rbrack}} & {G^{k_{i}^{\prime}} = {\prod_{j = 0}^{t}{{\overset{\_}{K}}^{\prime}}_{j}^{i^{j}}}} \end{matrix}$ for some random integers β ₀, . . . , β _(t-1), γ, δ ₀, . . . , δ _(t-1) sampled by the server.

Given the update token (s₀, s′₀, β ₀) and a nonce n, the server can simply update each ciphertext C∈SKE.Enc(s₀, (C₀, C₁)) to C′←SKE.Enc(s′₀,(C′₀, C′₁)) where C′₀:=C₀·H₀(n) ^(β) ⁰ and C′₁:=C₁·H₁(n) ^(β) ₀.

Correctness and Security.

The correctness of the construction according to the invention follows from the correctness of SKE and the completeness of the NIZKPoK scheme described in the Appendix. Below, we state the security of the construction according to the invention with respect to the two security properties hiding and soundness. Definitions of the terms hiding and soundness, and a proof sketch for the security are given in the Appendix below.

Theorem 1 (Hiding)

If the decisional Diffie-Hellman (DDH) assumption holds with respect to GGen, and SKE is CCA-secure, then the (t, m)-PHE scheme constructed above is hiding in the random oracle model.

Theorem 2 (Soundness)

If the discrete logarithm assumption holds with respect to GGen, then the (t, m)-PHE scheme constructed above is sound in the random oracle model.

Note that there is an error in [LER⁺18], where the strong soundness property is claimed to hold assuming only the soundness of the NIZKPoK, which in turn holds unconditionally in the random oracle model. In fact, they would also need to rely on the discrete logarithm assumption.

Evaluation

Following prior work [LER⁺18], Server and rate-limiters are implemented in Python using the Charm [AGM⁺13] framework. For interactions the falcon REST framework (for the rate-limiter), Python requests (for the server), and HTTP keep-alive were used. The cryptographic primitives, namely SHA-256 and NIST P-256 have also been kept. This enables meaningful comparison between the results of this implementation and the previous scheme.

All results are measured in the LAN setting for different choices of the threshold t and number of rate-limiters m. The threshold variant requires several communication rounds, especially in the decryption protocol. Individual intermediate rounds are transmitted via POST calls. The rate-limiters use in-memory dictionaries for storing the states. In our experiment setup, the server is sending out multiple requests at once and waits for t rate-limiters to respond.

Results

Latency.

The latency of encryption (resp. decryption) of the (t, m)-PHE scheme has been measured, i.e., the time needed to complete an encryption (resp. decryption) protocol execution. For t=m=1, Table 1 shows that the average latency for encryption is 8.431 ms, and that for decryption is 18.763 is, where the averages are taken over 100 executions. Further experiments show that the threshold t and total number of rate-limiters m do not affect the latency significantly.

TABLE 1 Latency Comparison Scheme Latency in ms [LER⁺18]-Encrypt 4.501 [LER⁺18]-Decrypt 4.959 Ours-Encrypt 8.431 Ours-Decrypt 18.763

The scheme presented here has a higher latency by an estimated factor of two for encryption and a factor of three for decryption, mainly due to the additional communication rounds (2× for encryption and 3× for the decryption protocol) compared to the PHE in [LER⁺18].

Throughput.

To estimate the computational resources needed, the throughput (maximum number of encryption and decryption requests per time) of (t, m)-PHE for different thresholds t and number of rate-limiters m has been measured. For various values of (t, m) with t=m, FIG. 12 and FIG. 13 show the inverse of the throughput (i.e., amortized time per request) and the throughput against the threshold of t respectively, while the raw data is reported in Table 2. The reported numbers are all averages over 1000 executions. As shown in the figures, the amortized time per request scales somewhat linearly with the threshold t. Further experiments show that increasing the number of rate-limiters m for a fixed threshold t does not significantly affect the throughput.

There is a gradual reduction of throughput for a higher number of rate-limiters. This is due to an implementation artifact that forces sequential processing of answers. Parallelization should remove this bottleneck and help (t, m)-PHE scale more efficiently. We also expect that implementing (t, m)-PHE in programming languages with compiler optimizations, e.g., Rust [MK14], would significantly improve the performance.

DISCUSSION

In this section miscellaneous topics related to the construction according to this invention will be discussed, including different variants, an optimization, a generalization, extensions,

TABLE 2 Encryption and Decryption Requests per Second Encryption Decryption Threshold t Requests/s Requests/s 1 ([LER⁺18]) 736.59 711.07 1 524.33 192.91 3 228.71 114.38 5 145.84 67.01 8 105.36 47.03 11 65.05 27.94 13 53.79 22.03 15 48.96 19.68 and applications. Fine-Grained Rate-Limiting.

The construction according to the present invention leads to two slightly different variants of (t, m)-PHE—one which supports fine-grained rate-limiting and one which only supports coarse-grained rate-limiting. The former requires a 7-round decryption protocol while the latter requires only 6 rounds. Apart from saving communication costs, the coarse-grained variant has an additional benefit that the rate-limiters stay oblivious to whether the password was correct. For practical purposes this can also be interpreted as follows: For a login process, server and rate-limiters first execute the 6-round protocol, and the server considers the user as successfully authenticated. The last message (the 7-th round) can then be sent in the background to the rate-limiters, who will then “refund” the login attempt.

Both variants are covered by our security definitions and proofs: While the fine-grained variant is covered natively, the coarse-grained variant is also covered as it only penalizes the adversary for additional (successful) decryption attempts.

Further Optimizations.

It should be noted that the proofs π_(1,i), π_(2,i), π′_(2,i) can be merged into a single proof in a non-blackbox way. Conceptually, until the joint decryption phase, the parties only compute on random group elements and thus verifying the integrity of the messages can be delayed until right before the joint decryption phase. Merging the proofs saves some communication cost by not sending duplicating commitments corresponding to the same witness. However doing so would further complicate the presentation of our protocol and hide its structure. Therefore we choose to not incorporate this optimization.

More General Access Structures and Dynamic Rate-Limiters.

Below, extensions of the present (t, m)-PHE scheme obtained by extending the underlying secret sharing scheme are discussed.

The scheme presented here only supports a basic threshold access structure. In real-world deployments, more complex access structures might be desirable (e.g., to have a single backup rate-limiter who is normally offline, or to require rate-limiters from different geographic areas in addition to a threshold of them).

To this end, observe that the Shamir secret sharing scheme we are using can be replaced by any linear secret sharing scheme without further changing the protocol. The resulting construction supports any access policies specified by monotone span programs [KW93].

In a real-world application of (t, m)-PHE, it might happen that the keys of some rate-limiters are lost due to an incident or malicious intervention. If too many rate-limiter keys are lost, the server risks losing all the user data as they can no longer be decrypted. To prevent such situations, it is useful to consider natural extensions of (t, m)-PHE which allows recovery of lost rate-limiter keys and changing the set of rate-limiters (to a new set of possibly different size) dynamically.

While standard methods [AGY95] exist for dynamic resharing, due to our more relaxed security requirements, the round complexity of dynamic resharing can be improved: Let s, be the i-th share of the conceptual rate-limiter secret key so generated by a (t, m)-secret sharing scheme. To convert to a new (t′, m′) system, a t-subset I⊂[m] of the previous share-holders create m′ shares {s_(i,j)}_(j∈[m′]) of their shares s_(i) as follows. Each i∈I sets s _(i,0):=s_(i) and samples S _(i,k) for k∈[t′−1]. It then computes s_(i,j):=Σ_(k=0) ^(t′-1) s _(i,k)j^(k) for each j∈[m′], and S _(i,k) for k∈[t′−1]. The share s_(i,j) is sent to the new j-th rate-limiter, while {S _(i,k)=G ^(s) ^(i,k) }_(k=0) ^(t′-1) is broadcasted. Upon receiving the shares {s_(i,j)}_(i∈I), each new shareholder j∈[m′] can recover their share s′_(j) as s′ _(j)=

_(I)(s _(i) ₁ _(,j) , . . . ,s _(i) _(t) _(,j)) using a linear function

_(I) determined by the set I. To see that {s′_(j)}_(j∈[m′]) are valid shares of the conceptual secret key s ₀, note that for any t′-subset J⊆[m′], we have

$\begin{matrix} {{\mathcal{L}_{J}\left( \left\{ s_{j}^{\prime} \right\}_{j \in J} \right)} = {\mathcal{L}_{J}\left( \left\{ {\mathcal{L}_{I}\ \left( \left\{ s_{i,j} \right\}_{i \in I} \right)} \right\}_{j \in J} \right)}} \\ {= {\mathcal{L}_{I}\ \left( \left\{ {\mathcal{L}_{J}\left( \left\{ s_{i,j} \right\}_{j \in J} \right)} \right\}_{i \in I} \right)}} \\ {= {\mathcal{L}_{I}\ \left( \left\{ s_{i} \right\}_{i \in I} \right)}} \\ {= {\overset{¯}{s}}_{0}} \end{matrix}$

All parties can also compute the new public key S′_(k) for k∈[0, t′−1] as a power product of {S _(i,k)}_(i∈I) with coefficients given by

_(I). The well-formedness of s′_(j) can then be publicly verified using the new public keys S′₀, . . . , S′_(t′-1).

Non-Interactive Rotation.

The key-rotation protocol in the construction presented here is a non-interactive protocol initiated by the server. This is useful in practice as it means that not all rate-limiters need to be reachable to execute the key-rotation protocol. Instead, the server can initiate key-rotation ahead of time, and cache the messages supposed to be sent the rate-limiters until they become available. It is even possible to queue several key-rotations while a rate-limiter is unavailable (e.g., due to maintenance) and later apply all the changes in one shot.

It is, however, important to remember that leaking the key-rotation materials will defeat the self-healing properties of key-rotation. An adversary who learns this information can construct the new (resp. old) keys associated with this key-rotation material if it also has knowledge of the old (resp. new) keys. Therefore caching the key-rotation materials has to be based on a balanced decision in practical deployments.

Cold Storage.

One of the applications of (t, m)-PHE concerns cold storage: The server operator spawns a number of additional rate-limiters which suffices to perform decryption, and stores their keys offline. As long as these keys are well-protected (e.g., physically) this does not reduce the security of the deployed system and, in the case of irresponsive rate-limiters the server operator can always recover its data.

The non-interactive nature of our key-rotation protocol helps with this use-case. As long as key-rotations happen infrequently, it is possibly to store (a sequence of) key-rotation materials for each rate-limiters in cold-storage along with the rate-limiter keys. Once needed these materials can the be recombined to restore an up-to-date set of rate-limiter keys.

REFERENCES

-   [AGM⁺13] Joseph A. Akinyele, Christina Garman, Ian Miers, Matthew W.     Pagano, Michael Rushanan, Matthew Green, and Aviel D. Rubin. Charm:     a framework for rapidly prototyping cryptosystems. Journal of     Cryptographic Engineering, 3(2):111-128, 2013. -   [AGY95] Noga Alon, Zvi Galil, and Moti Yung. Efficient     dynamic-resharing “verifiable secret sharing” against mobile     adversary. In Paul Spirakis, editor, Algorithms—ESA '95, pages     523-537, Berlin, Heidelberg, 1995. Springer Berlin Heidelberg. -   [AMMM18] Shashank Agrawal, Peihan Miao, Payman Mohassel, and Pratyay     Mukherjee. PASTA: PASsword-based threshold authentication. In David     Lie, Mohammad Mannan, Michael Backes, and XiaoFeng Wang, editors,     ACM CCS 2018: 25th Conference on Computer and Communications     Security, pages 2042-2059, Toronto, ON, Canada, Oct. 15-19, 2018.     ACM Press. -   [BJSL11] Ali Bagherzandi, Stanislaw Jarecki, Nitesh Saxena, and     Yanbin Lu. Password-protected secret sharing. In Yan Chen, George     Danezis, and Vitaly Shmatikov, editors, ACM CCS 2011: 18th     Conference on Computer and Communications Security, pages 433-444,     Chicago, Ill., USA, Oct. 17-21, 2011. ACM Press. -   [ECS⁺15] Adam Everspaugh, Rahul Chatterjee, Samuel Scott, Ari Juels,     and Thomas Ristenpart. The pythia PRF service. In Jaeyeon Jung and     Thorsten Holz, editors, USENIX Security 2015: 24th USENIX Security     Symposium, pages 547-562, Washington, D.C., USA, Aug. 12-14, 2015.     USENIX Association. -   [ElG84] Taher ElGamal. A public key cryptosystem and a signature     scheme based on discrete logarithms. In G. R. Blakley and David     Chaum, editors, Advances in Cryptology—CRYPTO'84, volume 196 of     Lecture Notes in Computer Science, pages 10-18, Santa Barbara,     Calif., USA, Aug. 19-23, 1984. Springer, Heidelberg, Germany. -   [FLPQ13] Pooya Farshim, Benoit Libert, Kenneth G. Paterson, and     Elizabeth A. Quaglia. Robust encryption, revisited. In Kaoru     Kurosawa and Goichiro Hanaoka, editors, PKC 2013: 16th International     Conference on Theory and Practice of Public Key Cryptography, volume     7778 of Lecture Notes in Computer Science, pages 352-368, Nara,     Japan, Feb. 26-Mar. 1, 2013. Springer, Heidelberg, Germany. -   [FS87] Amos Fiat and Adi Shamir. How to prove yourself: Practical     solutions to identification and signature problems. In Andrew M.     Odlyzko, editor, Advances in Cryptology—CRYPTO'86, volume 263 of     Lecture Notes in Computer Science, pages 186-194, Santa Barbara,     Calif., USA, August 1987. Springer, Heidelberg, Germany. -   [KW93] Mauricio Karchmer and Avi Wigderson. On span programs. In     Proceedings of Structures in Complexity Theory, pages 102-111, 1993. -   [LER⁺18] Russell W. F. Lai, Christoph Egger, Manuel Reinert,     Sherman S. M. Chow, Matteo Maffei, and Dominique Schröder. Simple     password-hardened encryption services. In William Enck and Adrienne     Porter Felt, editors, USENIX Security 2018: 27th USENIX Security     Symposium, pages 1405-1421, Baltimore, Md., USA, Aug. 15-17, 2018.     USENIX Association. -   [LESC17] Russell W. F. Lai, Christoph Egger, Dominique Schröder, and     Sherman S. M. Chow. Phoenix: Rebirth of a cryptographic     password-hardening service. In Engin Kirda and Thomas Ristenpart,     editors, USENIX Security 2017: 26th USENIX Security Symposium, pages     899-916, Vancouver, BC, Canada, Aug. 16-18, 2017. USENIX     Association. -   [MK14] Nicholas D. Matsakis and Felix S. Klock, II. The rust     language. Ada Lett., 34(3):103-104, October 2014. -   [Muf15] Allec Muffet. Facebook: Password hashing and authentication.     https://www.youtube.com/watch?v-7dPRFoKteIU, 2015. Video. -   [PCI16] PCI Security Standards Council. Requirements and security     assessment procedures. PCI DSS v3.2, 2016. -   [Sch90] Claus-Peter Schnorr. Efficient identification and signatures     for smart cards. In Gilles Brassard, editor, Advances in     Cryptology—CRYPTO'89, volume 435 of Lecture Notes in Computer     Science, pages 239-252, Santa Barbara, Calif., USA, Aug.     20-24, 1990. Springer, Heidelberg, Germany. -   [SFSB16] Jonas Schneider, Nils Fleischhacker, Dominique Schröder,     and Michael Backes. Efficient cryptographic password hardening     services from partially oblivious commitments. In Edgar R. Weippl,     Stefan Katzenbeisser, Christopher Kruegel, Andrew C. Myers, and Shai     Halevi, editors, ACM CCS 2016: 23rd Conference on Computer and     Communications Security, pages 1192-1203, Vienna, Austria, Oct.     24-28, 2016. ACM Press. -   [Sha79] Adi Shamir. How to share a secret. Communications of the     Association for Computing Machinery, 22(11):612-613, November 1979.

APPENDIX

Computational Assumption

Below, the discrete logarithm and decisional Diffie-Hellman assumptions are recalled.

Definition 3 (Discrete Logarithm)

We say that the discete logarithm assumption holds with respect to GGen if for all PPT adversaries

${\Pr\begin{bmatrix} {x = x^{\prime}} & : & \begin{matrix} \left. \left( {,p,G} \right)\leftarrow{GG{{en}\left( 1^{\lambda} \right)}} \right. \\ \left. x\leftarrow{s\;{\mathbb{Z}}_{p}} \right. \\ \left. x^{\prime}\leftarrow{\left( {,p,G,G^{x}} \right)} \right. \end{matrix} \end{bmatrix}} \leq {{{negl}(\lambda)}.}$

Definition 4 (DDH)

We say that the decisional Diffie-Hellman assumption holds with respect to GGen if for all PPT adversaries

${\begin{matrix} {\Pr\begin{bmatrix} {b = 1} & : & \begin{matrix} \left. \left( {,p,G} \right)\leftarrow{GG{{en}\left( 1^{\lambda} \right)}} \right. \\ {x,\left. y\leftarrow{s\;{\mathbb{Z}}_{p}} \right.} \\ \left. b\leftarrow{\left( {,p,G,G^{x},G^{y},G^{xy}} \right)} \right. \end{matrix} \end{bmatrix}} \\ {- {\Pr\begin{bmatrix} {b = 1} & : & \begin{matrix} \left. \left( {,p,G} \right)\leftarrow{GG{{en}\left( 1^{\lambda} \right)}} \right. \\ {x,y,\left. z\leftarrow{s\;{\mathbb{Z}}_{p}} \right.} \\ \left. b\leftarrow{\left( {,p,G,G^{x},G^{y},G^{z}} \right)} \right. \end{matrix} \end{bmatrix}}} \end{matrix}} \leq {{{negl}(\lambda)}.}$ Non-Interactive Zero-Knowledge Proof of Knowledge (NIZKPoK)

We recall the notion of non-interactive zero-knowledge proof of knowledge (NIZKPoK) and a construction for generalized discrete logarithm relations. FIG. 14 illustrates a non-interactive zero-knowledge proof of knowledge.

Let R⊆{0,1}*×{0, 1}*×{0, 1}* be a ternary relation decidable in polynomial time. Given a common reference string (CRS) crs, we say that w is a witness of a statement x if (crs, x, w)∈R.

A tuple of PPT algorithms (Gen, Prove, Vf) is said to be a non-interactive proof of knowledge (NIZKPoK) scheme for the relation R if the following properties hold:

-   -   (Perfect Completeness) For all non-uniform polynomial-time         algorithms

${\Pr\begin{bmatrix} {{{\left( {{crs},x,w} \right) \notin R} ⩔ b} = 1} & : & \begin{matrix} \left. {crs}\leftarrow{{Gen}\left( 1^{\lambda} \right)} \right. \\ \left. \left( {x,w} \right)\leftarrow{({crs})} \right. \\ \left. \pi\leftarrow{{Prove}\left( {{crs},x,w} \right)} \right. \\ {\left. b\leftarrow \right. ⩔ {f\left( {{crs},x,\pi} \right)}} \end{matrix} \end{bmatrix}} = 1.$

-   -   (Statistical Proof of Knowledge) There exists a probabilistic         polynomial time extractor ε such that, for all (unbounded)         adversaries         ,

${\Pr\begin{bmatrix} {{{\left( {{crs},x,w} \right) \notin R} ⩓ b} = 1} & : & \begin{matrix} \left. {crs}\leftarrow{{Gen}\left( 1^{\lambda} \right)} \right. \\ \left. \left( {x,w} \right)\leftarrow{({crs})} \right. \\ \left. w\leftarrow{ɛ\left( {{crs},x,\pi} \right)} \right. \\ {\left. b\leftarrow \right. ⩔ {f\left( {{crs},x,\pi} \right)}} \end{matrix} \end{bmatrix}} \leq {{{negl}(\lambda)}.}$

-   -   Note that schemes satisfying this property in the         common-reference-string model cannot be zero-knowledge, as the         extractor ε does not have secret inputs. This is however not an         issue in the random oracle model, where ε has black-box access         to further copies of         with the randomness used to define (x, π), and simulates         responses to random oracle queries made by         . Furthermore,         is restricted to make only a polynomial number of random oracle         queries.     -   (Computational Zero-Knowledge) There exists a probabilistic         polynomial time simulator         , such that for all probabilistic polynomial time adversaries         ₁ and non-uniform polynomial time algorithms         ,

 Pr ⁡ [ ( crs , x , w ) ∈ R ⩓ 1 ⁢ ( crs , x , π ) = 1 : crs ← Gen ⁡ ( 1 λ ) ( x , w ) ← ⁢ ( crs ) ⁢ π ← Prove ⁡ ( crs , x , w ) ] - Pr ⁡ [ ( crs , x , w ) ∈ R ⩓ 1 ⁢ ( crs , x , π ) = 1 : crs ← Gen ⁡ ( 1 λ ) ( x , w ) ← ⁢ ( crs ) π ← 𝒮 ⁡ ( crs , x ) ]  ≤ negl ⁡ ( λ ) .

-   -   In the random oracle model,         simulates responses to random oracle queries made by         ₁ and         ₂. Furthermore,         ₂ is restricted to make only a polynomial number of random         oracle queries.

Let GGen:1^(λ)

crs=(

, G, p) be a group generator which generates a cyclic group

of order p with generator G. Let H:{0, 1}*→

_(p) function. We recall in FIG. 14 a generalized Schnorr protocol [Sch90] (Prove, Vf) which is made non-interactive using the Fiat-Shamir transformation [FS87]. It is well known that the scheme (GGen, Prove, Vf) is a NIZKPoK for the relation R_(GDL) if H is modeled as a random oracle.

Security Analysis

Formalization

We formalize (t, m)-PHE and define the two security properties, hiding and soundness, which consolidate previous properties of PHE [LER⁺18] by the same names.

Below, we give definitions of the two security properties hiding and soundness, and proof sketches for Theorems 1 and 2.

Hiding (Theorem 1)

The Term.

Hiding refers to the property that the adversary cannot do better than performing online password guessing attacks to learn an encrypted message, as long as it does not corrupt the server and at least t rate-limiters at the same time.

The new hiding definition used here consolidates the previous hiding, obliviousness, and forward security definitions of PHE [LER⁺18]. In particular, the new hiding definition captures attack strategies in which the adversary corrupts different parties at different points in time.

In previous security definitions of PHE [LER⁺18, LESC17], a corrupt party stays corrupt for the entire duration of the security experiments: In the hiding experiment the server is always corrupt, while in the partial obliviousness experiment the rate-limiter is always corrupt. It was unclear what the security guarantee is, for example, when the adversary first corrupts the server, instructs the parties to perform key-rotation, and then corrupt the rate-limiter. Forward security, which states that the tuples of rotated keys and updated ciphertexts are indistinguishable to fresh ones, suggests that there should be no relation between keys and ciphertexts created or refreshed at different times, but does not lead to a formal statement.

In order to explicitly state the security guarantees brought by key rotation, we merge the hiding, partial obliviousness and forward security definitions of PHE [LER⁺18] into a single new hiding definition, reefer to FIG. 15. Intuitively, hiding models the property that no party should be able to do better than online brute force attacks against the password space. As passwords have limited entropy, we limit the decryption queries the adversary can do using the counter DecCount which is bounded by Q_(Dec). At any given time, the adversary may either corrupt the server and up to t−1 rate limiters, or an arbitrary subset of rate-limiters but not the server. It can also allow the parties to execute an honest key-rotation, after which all parties are considered honest, and the adversary can corrupt a possibly different subset of parties again.

We focus on a static corruption model, where the adversary must declare the set of corrupt parties for the next time period when requesting for an honest key-rotation. Hererby, a time period is understood to be the time between two honest key-rotations. This corruption model is already stronger than that in previous work [LER⁺18,LESC17], where the adversary must declare the corrupt party at the very beginning of the experiment, and cannot change its choice throughout the experiment. We also define an adaptive variant, where the adversary can request to corrupt any party at any time.

The adversary

is given access to oracles for all interactions (encryption, decryption, key rotation, and ciphertext update) in the system. The oracles interfacing protocol executions take an indexed set of procedures and run the respective protocols with the honest code replaced by adversarially choosen methods according to that set. The encrypt and decrypt oracles Enc

and Dec

model normal interactions with adversarially choosen messages resp. ciphertexts. The decrypt challenge oracle DecCh

, in contrast, allows the adversary to observe interactions between an honest server and potentially malicious rate-limiters with the correct challenge password. The oracle Rot

allows the adversary to run the key rotation protocol. The adversary can request for an honest key-rotation, where the update token is not leaked to the adversary, while the set of corrupted parties is reset depending on the choice of the adversary. The adversary can also request for a malicious key-rotation, where the code of some parties are possibly replaced by malicious ones. The oracle Udt

allows updating any ciphertext with the most recent update token τ.

In the adaptive variant, the adversary can learn the current secret keys of parties of its choice using the corrupt oracle Corr

. Finally, the adversary can generate a challenge ciphertext using Ch

. Notice that the challenge may only be generated once and the server code used to generate the challenge ciphertext is honest (although the server key might be revealed via Corr

and Rot

). (A multi-challenge version of the definition is implied by the single-challenge one using standard hybrid argument.) Intuitively this is reasonable as a malicious server can store the message and the password outside the protocol, and therefore security for maliciously generated ciphertexts is unrealistic. Note that the adversary may no longer choose the server key for the challenge ciphertext which was allowed in previous definitions [LER⁺18,LESC17] in the case of honest rate-limiters. This simplifies the definition and we believe it is of limited practical interest to allow an adversarially choosen server key but honest execution of the server code.

We observe that the previous partial obliviousness definition of PHE does not cover a realistic attack: If the adversary controls the rate-limiter(s) it can act as an end-user and try an arbitrary number of passwords as it fully controls the rate-limiting. This attack was not captured, as the server withholds the decryption result if the adversary queries the decryption oracle on any of the two challenge passwords. In our hiding definition, we capture such an attack by not withholding the decryption result but have both the server and the rate-limiters restrict the number of login attempts. More precisely, we capture this by restricting the decryption queries independent of the set of corrupted parties.

Definition 1 (Hiding)

A (t, m)-PHE Π is hiding if, for any PPT adversary

, any integer Q_(Dec)≥0, and any password space

with support size of at least Q_(Dec),

${\frac{1}{2}{{{\Pr\left\lbrack {{{Hi}\left( {1^{\lambda},1^{m},1^{t}} \right)} = 1} \right\rbrack} - {\Pr\left\lbrack {{{Hi}\left( {1^{\lambda},1^{m},1^{t}} \right)} = 1} \right\rbrack}}}} \leq {\frac{Q_{Dec}}{} + {{{negl}(\lambda)}.}}$

For simplicity, we assume that passwords are distributed uniformly in the password space. The definition can be easily generalized to cover arbitrary password distributions.

Proof.

We want to prove that the construction according to the invention is hiding (under static corruption). That is, for any PPT adversary

, any integer Q_(Dec)≥0, and a uniform password distribution

with |

|≥Q_(Dec),

${\frac{1}{2}{{{\Pr\left\lbrack {{{Hi}\left( {1^{\lambda},1^{m},1^{t}} \right)} = 1} \right\rbrack} - {\Pr\left\lbrack {{{Hi}\left( {1^{\lambda},1^{m},1^{t}} \right)} = 1} \right\rbrack}}}} \leq {\frac{Q_{Dec}}{} + {{{negl}(\lambda)}.}}$

We will prove the above statement via a typical hybrid argument, for that we define the following hybrid experiments:

-   -   Hyb_(b,0) is identical to Hi         (1^(λ), 1^(m), 1^(t)).     -   Hyb_(b,1) is mostly identical to Hyb_(b,0), except that all         zero-knowledge proofs are simulated by running the simulator of         the NIZKPoK scheme. It it straightforward to show that, for all         b∈{0, 1},         |Pr[Hyb _(b,0)=1]−Pr[Hyb _(b,1)=1]|≤neg|(λ)     -   using the zero-knowledge property of the NIZKPoK scheme.     -   Hyb_(b,2) is mostly identical to Hyb_(b,1), except that when an         honest key rotation is triggered (the adversary queries the Rot         oracle with HonestRot=1), the secret key components (k_(i), K₀,         {K _(j)}_(j=0) ^(t-1)) are freshly generated. For all b∈{0, 1},         note that Hyb_(b,1) and Hyb_(b,2) are functionally equivalent,         therefore         Pr[Hyb _(b,1)=1]=Pr[Hyb _(b,2)=1].     -   Hyb_(b,3,0) is identical to Hyb_(b,2).     -   Hyb_(b,3,q), where q∈[Q_(Dec)], is mostly identical to         Hyb_(b,q-1), except that when answering the adversary's q-th         query to the Dec         oracle which triggers the increment of the counter DecCount         (called a critical query hereinafter), the group elements sent         by honest parties are replaced by uniformly random elements, and         the output M of the server (if honest) is always the empty         string ϵ.

It remains to show that for all b∈{0, 1} and all q∈[Q_(Dec)],

${{{{\Pr\left\lbrack {{Hyb_{b,3,{q - 1}}} = 1} \right\rbrack} - {\Pr\left\lbrack {{{Hy}b_{b,3,q}} = 1} \right\rbrack}}} \leq {\frac{1}{} + {{negl}(\lambda)}}},{{{and}{{{\Pr\left\lbrack {{Hyb_{0,3,Q_{Dec}}} = 1} \right\rbrack} - {P{r\left\lbrack {{Hyb_{1,3,Q_{Dec}}} = 1} \right\rbrack}}}}} \leq {{{negl}(\lambda)}.}}$

The theorem then follows.

From Hyb_(b,3,q-1) to Hyb_(b,3,q)

We show that

${{{\Pr\left\lbrack {{Hyb_{b,3,{q - 1}}} = 1} \right\rbrack} - {P{r\left\lbrack {{Hyb_{b,3,q}} = 1} \right\rbrack}}}} \leq {\frac{1}{} + {{negl}(\lambda)}}$ under the DDH assumption in the random oracle model for all b∈{0, 1} and q∈[Q_(Dec)].

We define an intermediate hybrid experiment Hyb′_(b,3,q), which is mostly identical to Hyb_(b,3,q) except that when answering the adversary's q-th critical query, the message M output by the server, if honest, is computed honestly.

We can immediately see that

${{{\Pr\left\lbrack {{Hyb}_{b,3,q}^{\prime} = 1} \right\rbrack} - {P{r\left\lbrack {{Hyb_{b,3,q}} = 1} \right\rbrack}}}} \leq \frac{1}{}$ since the only way to distinguish between the two is to query Dec

and thus the random oracles H₀ and H₁ on (pw*,n*).

It thus suffices to show that |Pr[Hyb _(b,3,q-1)=1]−Pr[Hyb′ _(b,3,q)=1]|≤neg|(λ) under the DDH assumption.

Suppose not, we construct an adversary

against DDH as follows. Let the t-th honest key rotation query be the latest one before the q-th critical query. Let I be the set of corrupt parties requested by

during the t-th honest key rotation query. We consider two cases.

Case 1: 0∉I.

Without loss of generality, we can assume that I=[m]. In this case,

receives a DDH instance (G, G^(α), G^(β), G^(γ)), and set K₀:=G^(α) when answering the t-th honest key rotation query. Note that

does not know k₀:=α and hence, during the time between the t-th and (t+1)-st honest key rotation, cannot answer Dec

oracle queries honestly.

however has knowledge of k ₀ for which K ₀=G ^(k) ⁰ .

therefore simulate the answers to Dec

oracle queries during this time period as follows. It is to be noted that

can answer DecCh

oracle queries honestly since it does not need to return the view of

, while the views of

_(i) for all i∈[m] can be computed without knowing k₀.

computes the views of all parties honestly except for the values U₀, V₀, T₀ and T′₀. For the q-th query,

sets U₀:=G^(β) and V₀:=G^(γ)·G^(βk) ⁰ ·Y_(0,0) ⁻¹. For other queries,

computes U₀ and V₀ honestly. For all queries, to compute T₀ and T′₀,

runs the extractor of the NIZKPoK to extract the discrete logarithm ũ and ũ′ such that Ũ=G^(ũ) and Ũ′=G^(ũ′). It then compute T₀:=G^(αũ) and T′₀:=G^(αũ′).

Clearly, if (G, G^(α), G^(β), G^(γ)) is a DH tuple,

simulates Hyb_(b,3,q-1) perfectly. Else, if (G, G^(α), G^(β), G^(γ)) is a random tuple,

simulates Hyb′_(b,3,q) perfectly. The claim then follows.

Case 2: 0∈I.

Without loss of generality, we can assume that I={0, i₁, . . . , i_(t-1)} for some Ĩ:={i₁, . . . , i_(t-1)i}⊆[m]. In this case, let M_(I) be the following (t−1)-by-t matrix

$M_{I}:={\begin{bmatrix} 1 & i_{1} & \cdots & i_{1}^{t - 1} \\ \vdots & \vdots & \ddots & \vdots \\ 1 & i_{t - 1} & \cdots & i_{t - 1}^{t - 1} \end{bmatrix}.}$

receives a DDH instance (G, G^(α), G^(β), G^(γ)). When answering the t-th honest key rotation query,

generates secret key shares for the combined public key K ₀:=G^(α). For this, it samples a random vector {right arrow over (u)}:=(u₀, . . . , u_(t-1))^(T)←s Ker(M_(I)) in the kernel of M_(I), i.e., M_(I){right arrow over (u)}={right arrow over (0)}. It also samples a random vector {right arrow over (v)}=(v₀, . . . , v_(t-1))^(T)←s

_(p) ^(t). It sets K _(j):=G^(αu) ^(j) ^(+u) ^(j) for all j∈[0, t−1]. For the corrupt parties i∈Ĩ,

can compute secret Keys k_(i) without knowledge of α as k_(i):=Σ_(j=0) ^(t-1)(αu_(j)+v_(j))i^(j)=Σ_(j=0) ^(t-1)v_(j)i^(j) (since M_(I){right arrow over (u)}={right arrow over (0)}), which are then returned to

. Note that

does not know k_(i):=Σ_(j=0) ^(t-1)(αu_(j)+v_(j))i^(j) for the honest parties i∉Ĩ and hence, during the time between the t-th and (t+1)-st honest key rotation, cannot answer Dec

oracle queries honestly.

can however simulate the views of all parties in a Dec

query using the DDH instance and the extractor of the NIZKPoK as in case 1. We thus arrive at a similar conclusion that, if (G, G^(α), G^(β), G^(γ)) is a DH tuple,

simulates Hyb_(b,3,q-1) perfectly and, if (G, G^(α), G^(β), G^(γ)) is a random tuple,

simulates Hyb′_(b,3,q) perfectly. The claim then follows.

From Hyb_(0,3,Q) _(Dec) to Hyb_(1,3,Q) _(Dec)

We show that |Pr[Hyb _(0,3,Q) _(Dec) =1]−Pr[Hyb _(1,3,Q) _(Dec) =1]|≤neg|(λ) assuming the CCA-security of SKE and DDH.

Suppose not, we construct an adversary

against the CCA-security of SKE or DDH as follows. Let the t-th honest key rotation query be the latest one before the Ch

_(b) oracle query. Let I be the set of corrupt parties requested by

during the t-th honest key rotation query. We consider two cases.

Case 1: 0∉I.

Without loss of generality, we can assume that I=[m]. In this case, note that

remains uncorrupt when answering the Ch

_(b) oracle query, as well as the last (say t′-th, potentially malicious) key rotation query. For the t′-th key rotation query,

simulates most secret key components honestly, except that it sets s₀:=ϵ. To generate the challenge ciphertext,

computes C₀:=H₀(pw*, n*)H₀(n*) ^(s) ⁰ and C_(1,b):=H₁(pw*,n*)H₁(n*) ^(s) ⁰ M_(b)* by interacting with the possibly malicious rate-limiters. It then submits (C₀, C_(1,0)) and (C₀, C_(1,1)) to the challenge oracle of SKE. During the time between the t′-th and the (t′+1)-st key rotation queries, whenever SKE.Enc(s₀, ⋅) is supposed to be executed (except when answering the Ch

_(b) oracle query),

delegates the computation to the encryption oracle of SKE.

makes a random guess b′ of the random bit used by the SKE challenger. Whenever SKE.Dec(s₀, ⋅) is supposed to be executed on the challenge ciphertext C*, the return value is replaced by (C₀, C_(1,b′)). When it is supposed to be executed on other non-challenge ciphertext,

delegates the computation to the decryption oracle of SKE. Clearly, when the guess b′ is correct,

perfectly simulates the environments of Hyb_(0,3,Q) _(Dec) or Hyb_(1,3,Q) _(Dec) , depending on the secret bit chosen by the SKE challenger.

Case 2: 0∈I.

We define an intermediate hybrid Hyb′_(b,3,Q) _(Dec) which is mostly identical to Hyb_(0,3,Q) _(Dec) , except that when generating the challenge ciphertext, the experiment samples (C₀, C₁)←s

² uniformly at random (independent of M_(b)*). Clearly Hyb′_(0,3,Q) _(Dec) and Hyb′_(1,3Q) _(Dec) are functionally equivalent. It therefore suffices to prove that |Pr[Hyb′ _(b,3,Q) _(Dec) =1]−Pr[Hyb _(b,3,Q) _(Dec) =1]|≤neg|(λ)

Without loss of generality, we can assume that I={0, i₁, . . . , i_(t-1)} for some Ĩ:={i₁, . . . , i_(t-1)}⊆[m]. In this case, we will make use of the matrix M_(I) defined above, and simulate the secret key components s_(i) for i∈Ĩ in a similar fashion. As before, although

does not possess the knowledge of s_(i) (but only G^(s) ^(i) ) for i∉Ĩ, encryption and decryption can be simulated given a DDH instance and by programming the random oracles. As an example, to compute H₀(n)^(s) ^(i) and H₁(n)^(s) ^(i) for n≠n*,

first samples x₀ and x₁ and programs H₀(n):=G^(x) ⁰ and H₁(n):=G^(x) ¹ . It can then compute H₀(n)^(s) ^(i) =G^(z) ⁰ ^(s) ^(i) and H₁(n)^(s) ^(i) =G^(x) ¹ ^(s) ^(i) . For n=n*,

programs the random oracle similarly except that G^(z) ⁰ and G^(z) ¹ are derived from the DDH instance. If

is given a DH instance, it simulates Hyb_(b,3,Q) _(Dec) perfectly. Otherwise,

is given a random instance, and it simulates Hyb′_(b,3,Q) _(Dec) perfectly. The claim then follows.

Soundness (Theorem 2)

The Term.

Soundness refers to the property that the server cannot be fooled to make wrong decisions during decryption. More precisely, it means that, for any fixed server secret key, a ciphertext cannot encode two different valid password-message pairs at the same time.

Our soundness definition consolidates the previous ones by capturing all attack strategies in a single security experiment. This definition is inspired by that of complete robustness of encryption schemes [FLPQ13], which in turn consolidates various robustness notions for encryption.

We define soundness of (t, m)-PHE which consolidates the soundness and strong soundness notions of PHE [LER⁺18]. Intuitively, these notions model the security property that the rate-limiter(s) should not be able to deceive the server, e.g., to convince the server that a false candidate password is correct, or to trick the server to decrypt a ciphertext into two distinct messages. The soundness and strong soundness of PHE [LER⁺18] are modeled by two security experiments which have complicated winning conditions, since there are many ways for the rate-limiter to deceive the server.

To capture this intuitive security property in a simpler way, we take inspirations from the complete robustness definition [FLPQ13] for encryption schemes, which intuitively captures the property that a ciphertext cannot be encrypting two distinct messages. Roughly speaking, the soundness of PHE requires that there is no inconsistency between an encryption session and a decryption session, whereas the strong soundness notion further requires that there is no inconsistency between two decryption sessions. To capture both deception strategies simultaneously, we define a robustness experiment where the adversary is given an encryption oracle and a decryption oracle. The former takes as input all the inputs of the server, including the randomness, during an encryption session, and possibly malicious programs for all the rate-limiters. The oracle then runs the encryption protocol between an honest execution of the server code on the given input, and the possibly malicious rate-limiters. The decryption oracle is defined in a similar way, except that the decryption protocol is run. Refer to FIG. 16 for an overview of the experiments.

The adversary is successful if an inconsistency occur between the communication transcripts produced by any two oracle queries.

Definition 2 (Soundness)

A (t, m)-PHE Π is sound if, for any PPT adversary

, Pr[Soundness_(Π,)

⁰(1^(λ),1^(m),1^(t))=1]≤neg|(λ). Proof.

We give a high level idea of why an adversary against soundness cannot exist in the random oracle model, under the discrete logarithm assumption. Suppose such an adversary

exists, we consider the following experiment. First, it runs

as in the soundness experiment until

outputs the indices (i, j). It then retrieves (sk₀, n, C, pw, M):=Queries[i] and (sk′₀, n′, C′, pw′, M′):=Queries[j]. With non-negligible probability, the condition b₀∧b₁∧(b₂∨b₃) is satisfied. Since b₀∧b₁ is satisfied, we have (sk ₀ ,C)=(sk′ ₀ ,C′)∧M≠⊥∧M′≠⊥.

By the second condition, we can deduce that regardless of whether these tuples were created during an encryption or decryption oracle query, the server did not abort the protocol. Thus, we must have KVf(0,sk₀)=1, which means sk₀ is of the form sk₀=(s₀, k₀, S₀, K₀, {S _(j), K _(j)}_(j=0) ^(t-1)) where K₀=G^(k) ⁰ . In the following, let (C₀, C₁)←SKE.Dec(s₀, C).

Suppose (sk₀, n, C, pw, M) is created during an encryption oracle query. Then we must have M≠ϵ. By running the extractor ε, whose existence is guaranteed by the proof of knowledge property of the NIZKPoK, on the proofs generated by the (possibly malicious) rate-limiters, the reduction can extract so such that C ₀ =H ₀(pw,n)H ₀(n) ^(s) ⁰   (1) C ₁ =H ₁(pw,n)H ₁(n) ^(s) ⁰ M.  (2)

Similarly, if (sk′₀, n′, C′, pw′, M′) is created during an encryption oracle query, then M′≠ϵ, and the reduction can extract s ₀ such that C ₀ =H ₀(pw′,n′)H ₀(n′) ^(s) ⁰   (3) C ₁ =H ₁(pw′,n′)H ₁(n′) ^(s) ⁰ M′.  (4)

Suppose (sk₀, n, C, pw, M) is created during a decryption oracle query, we consider two cases: 1) M≠ϵ, and 2) M=ϵ. In the first case, the extraction process is slightly more complicated than when the tuple is created via encryption. Nevertheless, the experiment can also extract s ₀ so that it satisfies the above relations. In the second case, we can deduce that C ₀ ≠H ₀(pw,n)H ₀(n) ^(s) ⁰ .  (5)

Similar conclusion can be made if (sk′₀, n′, C′, pw′, M′) is created during a decryption oracle query.

Next, we examine the conditions b₂ and b₃, where at least one of them must be satisfied. Suppose b₂ is satisfied, we have ((n, pw)=(n′, pw′))∧(M≠M′). There are two possibilities.

-   -   1. M=ϵ and M′≠ϵ (or M≠ϵ and M′≠ϵ): Since M=ϵ, the tuple must         have been produced via decryption, and by Equation (5) we have         C₀≠H₀(pw,n)H₀(n) ^(s) ⁰ . However, since M′≠ϵ, by Equation (3)         we have C₀=H₀(pw, n)H₀(n) ^(s) ⁰ (note that (n, pw)=(n′, pw′))         which is a contradiction.     -   2. M≠ϵ and M′≠ϵ: From Equations (2) and (4) we can deduce that         M=M′, which is a contradiction.

Suppose b₃ is satisfied, we have ((n, pw)≠(n′, pw′))∧(M, M′∈

). Since M, M′∈

, we must have M≠ϵ and M′≠ϵ. Then, from Equations (1) and (3), we can deduce H ₀(pw,n)H ₀(n) ^(s) ⁰ H ₀(pw′,n′)⁻¹ H ₀(n′)˜ ^(s) ⁰ =I

However, since (n, pw)≠(n′, pw′), H₀(pw, n) and H₀(pw′, n′) are independent random elements, we obtain a non-trivial discrete logarithm representation of the identity element, which violates the discrete logarithm assumption. 

What is claimed is:
 1. A computer-implemented method for encrypting data by a server in cooperation with a predetermined number (m) of rate limiters, the predetermined number (m) being greater than 1, each of the rate-limiters being a respective processing unit different from each other and from the server, and having a respective secret key (sk₁, . . . , sk_(t), . . . , sk_(m)), the server having a predetermined secret key (sk₀), the method comprising: receiving, by the server, from the user, a user identification (un), and a password (pw) to be encrypted, creating, by the server, a secret message (M), the secret message (M) being a key suitable for use with a predetermined symmetric key encryption/decryption scheme, generating, by the server in cooperation with a subset (P) of a size (t′) which is equal to or greater than a predetermined threshold (t), out of the predetermined number (m) of rate limiters, on the basis of a predetermined interactive cryptographic encryption protocol, a ciphertext (C) which encrypts the user password (pw), and the secret message (M) using the respective secret keys (sk_(i)) of the rate limiters of the subset (P), the threshold (t) being smaller than or equal to the predetermined number (m) of rate limiters, and the predetermined interactive cryptographic protocol being adapted such that the server needs only to interact with a subset (P) of the predetermined size (t) of the predetermined number (m) of rate limiters for decryption of the ciphertext (C) to recover the secret message (M), storing, by the server, the ciphertext (C), in association with the user identification (un); and deleting the secret message (M), and the password (pw).
 2. The method of claim 1, further comprising generating, by the server, a server nonce (n_(o)), on the basis of a predetermined random process, receiving, by the server, a predetermined number (m) of rate-limiter nonces (n₁, . . . , n _(i), . . . , n_(m)), each rate-limiter nonce (n_(i)) created by a respective rate-limiter on a basis of a random operation, making known the nonces to the predetermined number (m) of rate limiters, using the nonces for generating the ciphertext (C).
 3. The method of the claim 2, wherein: the ciphertext (C) is a tuple (C₀, C₁) encrypted with a predetermined symmetric encryption key (s₀) which is a part of the server secret key (sk₀), the tuple (C₀, C₁) being computed as C ₀ =H ₀(pw,n)·H ₀(n) ^(s) ⁰ C ₁ =H ₁(pw,n)·H ₁(n) ^(s) ⁰ ·M wherein: H₀, H₁ representing independent Hash functions, s ₀ is part of a conceptual rate-limiter key which is secret-shared to the predetermined number (m) of rate-limiters on the basis of a predetermined linear secret sharing scheme with a reconstruction threshold equal to the subset (P) wherein for a given subset (P) of rate limiters, there exists a public linear combination such that s ₀=Σ_(j=1) ^(t)λ_(j)s_(i) _(j) holds, with t denoting the number of rate-limiters of the subset (P); λ being a predetermined security parameter.
 4. The method of claim 3, wherein: for any subset (P) of the number (in) of rate-limiters H₀, H₁ can be expressed as H ₀(n) ^(s) ⁰ =H ₀(n)^(Σ) ^(i∈P) ^(λ) ^(P,i) ^(s) ^(i) and H ₁(n) ^(s) ⁰ =H ₁(n)^(Σ) ^(i∈P) ^(λ) ^(P,i) ^(s) ^(i) .
 5. The method of claim 3, further comprising running, by the server, prior to creating the secret message (M), a setup algorithm comprising: defining the threshold (t), and the number (m) of rate limiters, generating the server secret key (sk₀), and generating for each rate limiter (i) of the predetermined number (m) of rate-limiters the respective secret key (sk_(i)), such that from each secret key (sk₀, . . . , sk_(m)) the size (t) of the subset (P) of rate limiters, and the number (m) can be derived wherein the setup algorithm further comprises: running a group generation algorithm which maps the security parameter (1 ^(λ)) to the description of a cyclic group GG (G, p, G) of prime order q with generator G, each of the secret keys (sk₀, . . . , sk_(m)) has the format (s_(i), k_(i), S₀, K₀, {S _(j), K _(j)}_(j=0) ^(t−1)) and satisfies the following properties: ${G^{s_{i}} = {\prod_{j = 0}^{t - 1}{\overset{\_}{S_{J}^{\iota}}}^{J}}},{i \in \lbrack m\rbrack}$ $G^{k_{i}} = \left\{ \begin{matrix} K_{G} & {i = 0} \\ {\prod_{j = 0}^{t - 1}{\overset{\_}{K_{J}^{\iota}}}^{J}} & {i \in \lbrack m\rbrack} \end{matrix} \right.$
 6. The method of claim 5, further comprising: verifying the validity of the secret keys (sk₀, . . . , sk_(m)) by applying the following scheme: if  i = 0  then return  (G^(s₀) = S₀ ⩓ G^(k₀) = K₀) else ${return}\left( {G^{s_{i}} = {{{\prod_{j = 0}^{t - 1}{\overset{\_}{S_{J}^{\iota}}}^{J}} ⩓ G^{k_{i}}} = {\prod_{j = 0}^{t - 1}{\overset{\_}{K_{J}^{\iota}}}^{J}}}} \right)$ endif.
 7. The method of claim 1, further comprising: receiving, by the server, form the user, along with receiving the user identification (un), and the password (pw), user data (ud) to be encrypted, encrypting, by the server, the user data (ud) by applying a predetermined user data symmetric key encryption/decryption scheme using the secret message (M) as encryption key, and storing, by the server, the encrypted user data (ud).
 8. A computer-implemented method for decrypting data by a server, in cooperation with a predetermined number of rate-limiters, the data being encrypted by the method of claim 1, the decrypting method comprising: receiving, by the sewer, from the user a user identification (un), and the password (pw), retrieving, by the server, the ciphertext (C), and the encrypted data stored in association with the user identification (un), recovering the secret message (M) by decrypting, by the server with its secret key (sk₀) in cooperation with a subset (P) of a size (t′), which is equal to or greater than the predetermined threshold (t), out of the predetermined number (m) of rate limiters with their respective secret keys (sk_(i)), the ciphertext (C), and deleting, by the server, the secret message (M) and the user password (pw).
 9. The method of claim 8, further comprising: each rate-limiter associating a counter with the user identification (un), and incrementing the counter if the verification step fails due to a received incorrect password (pw), aborting the current decryption session, and blocking further receiving user identification and password for a predetermined time of at least the user to which a the counter is associated.
 10. The method of claim 1, further comprising: sending, by the server, the secret (n) to the subset (P′) of rate-limiters; computing, by the server, the value Y _(0,0) :=C ₀ ·H ₀(pw,n)⁻¹ initiating the i-th rate-limiter of the subset (P′) of rate-limiters to compute the value Y _(i,0) :=H ₀(n)^(s) ^(i) , verifying that Y _(0,0)=Π_(i∈P)Y_(i,0) ^(λ) ^(P,i) by the server and the subset (P′) of rate-limiters performing the steps of: a) computing the encryption of the value Z:=Y _(0,0) ⁻¹Π_(i∈P) Y _(i,0) ^(λ) ^(P,i) with the key K=K₀·K ₀ the key K being the public key associated with a secret key which is secret-shared among the server and the subset (P′) of rate-limiters; b) computing an encryption of the values

and

·H₁(n) ^(s) ⁰ , for random

and

. c) obtaining H₁ (n) ^(s) ⁰ by decrypting Z the values Y_(t); checking that

=I I being an identity element; and recovering the secret message (M) therefrom.
 11. The method of claim 10, further comprising: each rate-limiter implementing a counter, and incrementing the counter if the verification step fails due to a received incorrect password (un), aborting the current decryption session, and blocking further receiving user identification and password for a predetermined time.
 12. A computer-implemented method for decrypting data by a server, in cooperation with a predetermined number of rate-limiters, the data being encrypted by the method of claim 10, the decrypting method comprising: receiving, by the server, from the user a user identification (un), and the password (pw), retrieving, by the server, the ciphertext (C), and the encrypted data stored in association with the user identification (un), recovering the secret message (M) by decrypting, by the server with its secret key (sk₀) in cooperation with a subset (P) of a size (t′), which is equal to or greater than the predetermined threshold (t), out of the predetermined number (m) of rate limiters with their respective secret keys (sk_(i)), the ciphertext (C), and deleting, by the server, the secret message (M) and the user password (pw), the method further comprising: decrypting, by the server, the encrypted user data (ud), by applying the predetermined user data symmetric key encryption/decryption scheme using the secret message (M) as decryption key.
 13. The method of claim 1, further comprising: running, by the server, prior to creating the secret message (M), a setup algorithm comprising: defining the threshold (t), and the number (m) of rate limiters, generating the server secret key (sk₀), and generating for each rate limiter (i) of the predetermined number (m) of rate-limiters the respective secret key (sk_(i)), such that from each secret key (sk₀, . . . , sk_(m)) the size (t) of the subset (P) of rate limiters, and the number (m) can be derived.
 14. The method of claim 1, further comprising: initiated by the server at least one rate limiter out of the predetermined number (m) of rate limiters to perform, a rotation of the secret keys according to a predetermined key rotation protocol, and performing, by the server, an algorithm for updating the ciphertext (C) to an updated ciphertext (C′) with keys produced in the key rotation protocol.
 15. The method of claim 14, wherein the key rotation protocol comprises: initiating a rate limiter of the predetermined number (m) of rate limiters to request at least a part (r) of the predetermined number (m) of rate limiters to perform a respective key rotation, and receiving confirmation of the requested rate limiters about key rotation.
 16. The method of claim 15, wherein the key rotation protocol comprises: requesting, by the server or initiating a rate limiter of the predetermined number (m) of rate limiters, a part (r) of the predetermined number (m) of rate limiters to perform a respective key rotation, to obtain updated secret keys (sk′₁, . . . sk′_(r)), deriving an update token for updating the ciphertext (C).
 17. The method of claim 16, wherein the key rotation comprises: updating sk _(i)=(s _(i) , k _(i) , S ₀ , K ₀, { S _(j) , K _(j)}_(j=0) ^(t−1)) to sk′ _(i)=(s′ _(i) , k′ _(i) , S′ ₀ , K′ ₀, {S′_(j) , K′ _(j)}_(j=0) ^(t−1)) where s′₀ is a new symmetric encryption key, and the following properties hold: $\begin{matrix} \; & {K_{0}^{\prime} = {K_{0}^{\gamma} = G^{k\;\prime_{o}}}} \\ {\forall{j \in \left\lbrack {0,{t - 1}} \right\rbrack}} & {{\overset{\_}{S}}_{j}^{\prime} = {{\overset{\_}{S}}_{J}G^{{\overset{\_}{\beta}}_{J}}}} \\ {\forall{j \in \left\lbrack {0,{t - 1}} \right\rbrack}} & {{{\overset{\_}{K}}_{j}^{\prime} = {\overset{\_}{K_{J}^{\gamma}}G^{{\overset{\_}{\delta}}_{J}}}},} \\ {\forall{i \in \lbrack m\rbrack}} & {G^{s\;\prime_{i}} = {\prod_{j = 0}{\overset{\_}{S}}_{j}^{\prime\; i^{j}}}} \\ {\forall{i \in \lbrack m\rbrack}} & {G^{k\;\prime_{i}} = {\prod_{j = 0}{\overset{\_}{K}}_{j}^{\prime\; i^{j}}}} \end{matrix}$ for β ₀, β _(t−1), γ, δ ₀, . . . , δ _(t−1) being random integers sampled by the server, and the update token being defined as (s₀, s′₀, β ₀), updating the ciphertext (C) to the updated ciphertext (C′) such that the updated ciphertext (C′) is given by encrypting the tuple (C0′, C1′) with the new symmetric encryption key (s′₀) where C′ ₀ :=C ₀ ·H ₀(n) ^(β) ⁰ and C′ ₁ :=C ₁ ·H ₁(n) ^(β) ⁰ n being a nonce produced by the server.
 18. The method of claim 17, wherein the subset (P) of the predetermined number (m) of rate limiters is selected according to a predetermined access criterion. 